Not an option: time for companies to embrace security by default

In this op-ed, a cybersecurity researcher argues that major companies are leaving customers at risk by not enforcing security by default. The opinions expressed here do not necessarily represent the opinions of Ars Technica.

Major social networks, e-mail providers, and communications companies offer products with insecure default settings, needlessly exposing their customers to hacking, identity theft, and government surveillance. Some firms offer security options that can be used to protect against common attacks; however, they are frequently so hidden in obscure configuration menus as to be invisible to the average user. Consequently, most consumers don't know about these options, and so they neither seek them out nor enable them.

Voicemail security

Voicemail hacking in the US is shockingly easy. By using free, Web-based services, anyone, regardless of technical skill, can "spoof" caller ID information and break into millions of vulnerable wireless accounts.

Prior to last week, of the four major carriers in the US, Verizon was the only company always to require a PIN whenever consumers checked their voicemail. AT&T and T-Mobile were both vulnerable to hackers, as the companies didn't ask for the PIN when subscribers called from their own handsets (or from any other phone that spoofed its caller ID information).

On Friday, AT&T announced a change to its security defaults. All new AT&T wireless subscribers will now be required to enter a PIN when checking their voicemail, even if they are checking it from their own phones. Furthermore, in early 2012, all customers upgrading or replacing their phones will also be migrated to strong security by default.

After years of arguing that the choice to enable strong security was something best left to consumers, AT&T has finally decided to make security the default. For that reason, the company should be praised.

In contrast, T-Mobile continues its poor default security settings. In the small print on its website, the company "recommends that you turn on your voice mail password for added security, but as always, the choice is yours."

Sprint also leaves the decision up to the user. As part of the voicemail configuration process, Sprint requires its customers to select whether they wish to enable the PIN bypass option. Although it recommends against enabling the feature, Sprint's security advice focuses on the threat of a lost or stolen phone. The company does not tell its customers about the existence or ease of voicemail hacking techniques. Unsurprisingly, the majority of Sprint customers choose to bypass the use of a PIN, and are thus vulnerable to hacking.

Shifting security decisions to the user means that the companies can avoid all blame. If only more of the company's subscribers would listen to vague advice regarding the PIN bypass feature, instead of foolishly trading security for convenience, then the problem of voicemail hacking would disappear.

The take home message here is clear: if you use T-Mobile or Sprint and get hacked, it's your fault.

Encryption and the cloud

These voicemail security problems are surprisingly similar to those that plague the Web.

When consumers connect to Facebook, Twitter, or Hotmail—as well as many other popular websites—they are at risk of account hijacking. This kind of attack, which is particularly easy to perform on public WiFi networks, is used to gain unauthorized access to others' accounts. These services are vulnerable because they do not use HTTPS encryption to protect all data as it is transmitted over the Internet.

Freely available tools that automate account hijacking have existed for several years, although the October 2010 release of Firesheep made these attacks accessible to the point-and-click crowd. Nearly one year and 1.7 million downloads later, many popular Web services are still vulnerable.

Although Google uses HTTPS encryption to protect Gmail by default, this has not always been the case. The company has always offered Gmail over HTTPS, and starting in 2008, it even offered a configuration option to force the use of encryption. At the time, the company stated that the decision to use HTTPS was a choice best left to the user; indeed, Google didn't advertise the existence of the option, and it was the last of a dozen configuration settings, listed after the vacation away message and Unicode text encoding settings.

Thanks to its eventual decision to embrace HTTPS by default, Google's customers can all now safely check their e-mail at Starbucks. The same cannot be said for the hundreds of millions of users of Facebook, Hotmail and Twitter.

Unfortunately, these options are not turned on by default, nor have they been widely advertised to users. As a result, few consumers are currently protected against hijacking attacks. For example, in July, eight months after Microsoft first offered HTTPS protection, the company revealed that only 2 million of the 500 million users of Hotmail had enabled the option.

Microsoft's decision to make HTTPS an opt-in feature means that more than 99 percent of Hotmail users are still vulnerable to account hijacking. It's likely that a similar number of Facebook and Twitter users remain vulnerable.

Conclusion

Google, Verizon, and AT&T have done the responsible thing by providing consumers with products that are secure out of the box (at least, secure against the attacks described here). Shamefully, their competitors continue to deliver products and services that can be hacked in seconds with idiot-proof, freely available tools. Instead of security by default, they offer obscure security settings that the firms "recommend" consumers set, via small print that no consumer ever reads. This is not a commitment to security, but rather a gift to identity thieves, stalkers, and intelligence agencies.

It's time for these companies to put their customers first. It's time to make privacy and security the default.

Christopher Soghoian is a Graduate Fellow at the Center for Applied Cybersecurity Research at Indiana University.